Weighted Attribute-Based Proxy Re-Encryption Scheme with Distributed Multi-Authority Attributes

Existing attribute-based proxy re-encryption schemes suffer from issues like complex access policies, large ciphertext storage space consumption, and an excessive authority of the authorization center, leading to weak security and controllability of data sharing in cloud storage. This study proposes a Weighted Attribute Authority Multi-Authority Proxy Re-Encryption (WAMA-PRE) scheme that introduces attribute weights to elevate the expression of access policies from binary to multi-valued, simplifying policies and reducing ciphertext storage space. Simultaneously, the multiple attribute authorities and the authorization center construct a joint key, reducing reliance on a single authorization center. The proposed distributed attribute authority network enhances the anti-attack capability of cloud storage. Experimental results show that introducing attribute weights can reduce ciphertext storage space by 50%, proxy re-encryption saves 63% time compared to repeated encryption, and the joint key construction time is only 1% of the benchmark scheme. Security analysis proves that WAMA-PRE achieves CPA security under the decisional q-parallel BDHE assumption in the random oracle model. This study provides an effective solution for secure data sharing in cloud storage.


Introduction
With technological advancements, internet services are becoming increasingly personalized, open, intelligent, and transparent.Under the driving forces of new technologies like cloud computing, big data, the Internet of Things, and artificial intelligence, user information is exhibiting explosive growth [1].In an open, transparent, and interconnected environment, information security, integrity, confidentiality, availability, and ownership are critical [2].However, traditional computer information storage and sharing methods impose high hardware and software requirements and cause many inconveniences due to low storage efficiency and cumbersome management.To meet the demand for large-capacity storage and sharing, more and more users are opting for cloud storage service platforms based on data centers [3].Nevertheless, cloud storage may face security risks such as information leakage, and it is challenging to ensure the integrity, accuracy, and confidentiality of information [4][5][6].The application of attribute-based encryption technology effectively resolves the limitation of traditional public key encryption in data sharing, where access is either fully authorized or completely prohibited, enabling the development of finer-grained access control [7].Fine-grained access control ensures secure data sharing in multi-user and big-data scenarios.By specifying access policies, it allows only users with specific attributes to gain data access privileges.As illustrated in Figure 1, in a cloud storage system incorporating attribute-based encryption (ABE), the data owner encrypts the data file (File) using an encryption algorithm based on a specific access policy, generating ciphertext (Ct1, Sensors 2024, 24, 4939 2 of 23 Ct2) with the access policy embedded within it.Subsequently, the data owner signs the ciphertext and transmits it in encrypted form for storage with the cloud service provider (CSP).The CSP maintains a table (ciphertext table) containing ciphertext identifiers (Id1, Id2) to facilitate user searches.Users retrieve the corresponding ciphertext from the CSP and attempt decryption using private keys generated by the Attribute Authority (AA).Decryption is successful if the user's attributes (Attr) satisfy the access policy embedded in the ciphertext; otherwise, decryption fails.
Sensors 2024, 24, x FOR PEER REVIEW data owner encrypts the data file (File) using an encryption algorithm based on a s access policy, generating ciphertext (Ct1, Ct2) with the access policy embedded wi Subsequently, the data owner signs the ciphertext and transmits it in encrypted fo storage with the cloud service provider (CSP).The CSP maintains a table (ciphertext containing ciphertext identifiers (Id1, Id2) to facilitate user searches.Users retrie corresponding ciphertext from the CSP and attempt decryption using private keys ated by the Attribute Authority (AA).Decryption is successful if the user s attributes satisfy the access policy embedded in the ciphertext; otherwise, decryption fails.Currently, most cloud storage sharing systems adopt a centralized manag model, where the cloud service provider (CSP) centrally manages all data.If the C counters hardware or software malfunctions or is attacked, it could lead to inform loss, leakage, or service interruption.In contrast, blockchain, as a decentralized, im ble, and unforgeable distributed ledger technology, provides a new option for inform security [8].Blockchain ensures information integrity, non-repudiation, privacy, an per-resistance through decentralized storage, P2P transmission, smart contracts, c sus mechanisms, and encryption techniques.It packages information into blocks, them chronologically using a specific data structure, validates and stores the inform through a consensus mechanism, and uses encryption algorithms to ensure secure mation transmission and interaction.Smart contracts can automatically control s execution, reducing intermediaries and increasing operational transparency.Bloc technology meets the modern demands for sharing, openness, fair competition, a ticity, integrity, security, and reliability [9].Based on the differences in participan consensus mechanisms, blockchain can be categorized into public, consortium, an vate chains [10].Public chains are open blockchains, where anyone can participate work transactions and the consensus process.Public chains typically employ con mechanisms such as Proof of Work (PoW), which require substantial mining eff validate transactions and generate new blocks.Consortium chains are blockchains managed by multiple pre-selected institutions or organizations.Only authorized can participate in the consensus process.Consortium chains generally utilize the R gorithm or other lightweight consensus algorithms, eliminating the need for compu ally intensive mining operations.Consortium chains balance performance and se Currently, most cloud storage sharing systems adopt a centralized management model, where the cloud service provider (CSP) centrally manages all data.If the CSP encounters hardware or software malfunctions or is attacked, it could lead to information loss, leakage, or service interruption.In contrast, blockchain, as a decentralized, immutable, and unforgeable distributed ledger technology, provides a new option for information security [8].Blockchain ensures information integrity, non-repudiation, privacy, and tamper-resistance through decentralized storage, P2P transmission, smart contracts, consensus mechanisms, and encryption techniques.It packages information into blocks, chains them chronologically using a specific data structure, validates and stores the information through a consensus mechanism, and uses encryption algorithms to ensure secure information transmission and interaction.Smart contracts can automatically control system execution, reducing intermediaries and increasing operational transparency.Blockchain technology meets the modern demands for sharing, openness, fair competition, authenticity, integrity, security, and reliability [9].Based on the differences in participants and consensus mechanisms, blockchain can be categorized into public, consortium, and private chains [10].
Public chains are open blockchains, where anyone can participate in network transactions and the consensus process.Public chains typically employ consensus mechanisms such as Proof of Work (PoW), which require substantial mining efforts to validate transactions and generate new blocks.Consortium chains are blockchains jointly managed by multiple pre-selected institutions or organizations.Only authorized nodes can participate in the consensus process.Consortium chains generally utilize the Raft algorithm or other lightweight consensus algorithms, eliminating the need for computationally intensive mining operations.Consortium chains balance performance and security, making them suitable for cross-organizational data sharing and collaboration.Private chains are blockchains entirely controlled by a single organization or institution.
Many scholars have achieved data access control in various scenarios by combining attribute-based encryption and blockchain technologies [11][12][13][14][15][16].However, existing schemes have the following issues: implementing traditional ciphertext-policy attribute-based encryption, which does not allow for the modification of access policies, necessitates data owners to re-encrypt and re-store information on the blockchain, resulting in the accumulation of multiple encryptions and redundant data on the chain; relying on a centralized server for access control and authorization, which is prone to single-point failure; the limited expressiveness of access policies represent only the "satisfaction" or "non-satisfaction" of single attributes, resulting in complex access policies, large ciphertext sizes, and high encryption time costs as the number of attributes in the access policy increases.This study proposes a Weighted Attribute Authority Multi-Authority Proxy Re-Encryption (WAMA-PRE) with the following main contributions: 1.
Incorporating blockchain and attribute-based proxy re-encryption achieves finegrained data access control and storage segregation, transferring access control from the centralized CSP to a decentralized blockchain for enhanced data security.

2.
It improves traditional algorithms by proposing a joint key generation algorithm involving multiple authorities and authorization centers, mitigating a single authorization center's single-point failure.

3.
It proposes weighted attribute representation for access policies, addressing the single attribute "satisfaction/non-satisfaction" limitation, simplifying policies, reducing ciphertext space, and improving encryption speed.

4.
Experimental validation of the WAMA-PRE scheme's storage and time efficiency performance.The scheme's robust security against chosen-plaintext attacks is also verified under the random oracle model.
This paper comprises six sections.The Section 1, the Introduction, presents the research background, articulates the research issue, and outlines the study's contributions.The Section 2, Related Work, reviews the current state of ABE research and its optimization schemes, identifying areas requiring further investigation.The Section 3, the Method, describes the proposed model design, algorithm design, and operational procedures.The Section 4, the Results, describes the experimental environment and presents the experimental outcomes of the proposed model.The Section 5, the Discussion, offers a quantitative analysis of the proposed model's performance and provides a security proof.The Section 6, Conclusions, summarizes the research and presents future research prospects.

Related Work
Sahai et al. [17] adopted a fuzzy identity-based encryption approach and first proposed the concept of ABE, which has since seen substantial development and produced many critical solutions.Current attribute-based encryption schemes are mainly divided into two categories: one is Key-Policy Attribute-Based Encryption (KP-ABE) [18], and the other is ciphertext-policy attribute-based encryption (CP-ABE) [19].Compared to KP-ABE, CP-ABE allows data owners to define flexible access policies, better meeting the data sharing needs in cloud storage, thus promoting the proposal of various CP-ABE schemes.
Wang et al. [20] proposed a file hierarchy attribute-based encryption scheme that utilizes an integrated access structure to encrypt hierarchical files, achieving secure access control for hierarchical shared data.Li et al. [21] proposed a searchable CP-ABE scheme with attribute revocation, preventing receivers from extracting sensitive information from the ciphertext by partially hiding the access structure while realizing attribute revocation and key updates.Feng et al. [22] introduced searchable encryption into attribute-based encryption, proposing a scheme supporting direct user revocation, where a central authority controls access to avoid the security risks of submitting private keys and access structures to the cloud server.Ge et al. [23] introduced data integrity protection into revocable attributebased encryption and verified its confidentiality and integrity.This line of work shifts security risks to the central authority, raising the issue of how to verify the security of the central authority.To address this, Yang et al. [24] proposed a revocable CP-ABE scheme that delegates ciphertext updates and re-encryption to a semi-trusted third party, such as a cloud service provider, providing backward and forward secrecy.Zhang et al. [25] proposed a CP-ABE scheme supporting partial access structure hiding and key revocation, constructing the access structure using linear secret sharing and supporting "AND" and "OR" gate operations for access policies, making encryption and decryption control more flexible.
These attribute-based encryption schemes address the fine-grained access control and transmission confidentiality of cloud storage data to some extent.However, they still need to improve on their low efficiency, inflexible data sharing and delegation operations, inability to update permissions in real-time, and data availability issues.To solve these problems, researchers introduced proxy re-encryption techniques [26], which allow data owners to delegate data access rights to a proxy, enabling more flexible permission management without sharing decryption keys.It makes secure data sharing possible in distributed environments and improves the availability of cloud storage data, protecting data even if the cloud service provider is attacked.
Since the first proxy re-encryption scheme was proposed, proxy re-encryption schemes have made substantial progress over the past decade: schemes based on user identities rather than public keys [27] simplify the public key certificate verification of identitybased encryption but require explicit specification of receivers.Conditional ciphertext transformation based on identity-based encryption realizes partial decryption permission delegation but still in a one-to-one form [28]. Liang et al. [29] extended the conditions and identity descriptions based on proxy re-encryption and attribute encryption, proposing an attribute-based proxy re-encryption scheme and proving its chosen-plaintext security and master key security.Luo et al. [30] designed an attribute-based proxy re-encryption scheme supporting multi-valued negative attributes and wildcards, achieving master key security and access structure control.Concurrently, Mizuno and Doi [31] first proposed an attribute-to-identity mixed scheme.Attribute-based proxy re-encryption integrates the oneto-many access control of attribute-based encryption and the data delegation advantage of proxy re-encryption.However, it relies on a single authorization center, affecting security and efficiency.Introducing multiple attribute authorities [32][33][34] mitigates the security risks associated with centralized authorization.Therefore, Liu et al. [35] designed a Multi-Authority CP-ABPRE (MA-CP-ABPRE) scheme, replacing the single authorization center with multiple authority centers.
However, in terms of attribute matching, the access policies in existing schemes mainly use binary "satisfaction" and "non-satisfaction" representations of attributes, which are unable to accurately express the degree of attribute matching.Considering the different importance of attributes, researchers have proposed Ciphertext-Policy Weighted Attribute-Based Encryption (CP-WABE) schemes [36,37].Fan et al. [38] proposed a scheme supporting multi-state attribute expressions, not only binary states, making attribute expressions more flexible and supporting dynamic joining and updating.Wang et al. [39] introduced the concept of weighted attributes, allowing an extension from binary to any state expression and reducing the complexity of access policies.Additionally, schemes supporting range attributes [40][41][42], such as time, location, and numerical ranges, provide more representative policy expressions.
The abovementioned schemes attempt to improve the accuracy of access policy attribute expressions through attribute refinement, state mapping, weight assignment, and other techniques, enhancing attribute expression capabilities to some extent.However, issues such as low efficiency or limited expression capability persist, with further improvement especially needed in the attribute representation within access policies.

Model Design
This study proposes a WAMA-PRE scheme for distributed multi-attribute authorities, as illustrated in Figure 2. The system comprises the following key components: proxies executing proxy re-encryption operations, modifying existing ciphertex policies, and recording re-encryption operations on the blockchain.
Blockchain Network: The blockchain network stores transactions and me shared data.The metadata includes hash values of encrypted data in cloud stora data requesters download encrypted data from cloud storage, they can verify values to ensure the integrity of the encrypted data.Furthermore, the cryptographic symbols involved in the WAMA-PRE mod are presented in Table 1.Central Authority (CA): The CA is responsible for system initialization, receiving user key components generated by attribute authorities, and generating user keys.It registers each user and maintains a list containing user details to verify user authenticity.
Attribute Authority (AA): Each AA is responsible for generating private and public key pairs for the set of attributes within its domain.An AA can manage multiple attributes, but each attribute is managed by only one AA.AAs also generate user key components related to users' attributes.
Data Owner (DO): The DO has absolute control over their shared data and can customize data access permissions, enabling fine-grained access control.Before uploading data to the cloud storage system, the DO encrypts the data using a defined weighted access policy.
Data Requester (DR): DRs consist of authorized and unauthorized users.Authorized users can decrypt ciphertexts using their attribute private keys.Unauthorized users gain access permissions by sending data-sharing requests to authorized users.When an unauthorized user wants to access encrypted data, an authorized user, acting as a datasharing authorizer, is responsible for reviewing the data-sharing request.They generate a re-encryption key and send it to the orderer node cluster if approved.
Cloud Service Provider: the cloud service provider is responsible for storing ciphertexts uploaded by data owners and maintaining a ciphertext table.
Orderer Node Cluster: The orderer node cluster is crucial to ensuring transaction order consistency in the blockchain system.In this scheme, orderer nodes act as third-party proxies executing proxy re-encryption operations, modifying existing ciphertexts' access policies, and recording re-encryption operations on the blockchain.
Blockchain Network: The blockchain network stores transactions and metadata of shared data.The metadata includes hash values of encrypted data in cloud storage.When data requesters download encrypted data from cloud storage, they can verify the hash values to ensure the integrity of the encrypted data.
Furthermore, the cryptographic symbols involved in the WAMA-PRE model scheme are presented in Table 1.
GlobalSetup(1 k ) → MPK,MSK.Taking the security parameter 1 k as input, it outputs the system public key MPK and the system master key MSK.

2.
AASetup(MPK, U i ) → PK i,j ,SK i,j .Taking the system public key MPK and the attribute set U i managed by the attribute authority AA i as input, it generates the attribute public key PK i,j and the attribute private key SK i,j for each attribute attr j in U i .

3.
KeyGen(MSK, USK i , S) → USK.Taking the system master key MSK, user key component USK i , and attribute set S as input, it outputs the user key USK corresponding to the attribute set S.

WAMA-PRE Execution Policy
The WAMA-PRE process mainly includes four stages: system initialization, data encryption and ciphertext on-chaining, data ciphertext retrieval and decryption, and ciphertext re-encryption.

1.
System Initialization.In the blockchain system, the CA first executes the GlobalSetup function, taking the security parameter 1 k as input, and selects two cyclic groups, G and G T , of prime order p, where g 1 and g 2 are generators of the group G.It randomly chooses a 0 , a 1 , a 2 ∈ Z * p , and e : G × G → G T is a bilinear map.The hash functions are H 1 : {0, 1} * → G and H 2 : G T → Z * p , resistant to collusion.Equations ( 1) and ( 2) show that it outputs the system master key MSK and the system public key MPK.
Let the current attribute authentication center be AA i .AA i executes the AASetup function, taking the system public key MPK and the attribute set U i , managed by the attribute authority AA i , as input.As shown in Equation ( 3), the attribute authority AA i randomly selects h i,j ∈ Z * p as the private key SK i,j for each attribute attr j , and then it generates the attribute public key PK i,j as shown in Equation (4).
when new users join the blockchain system, they first register their identity information with the CA, including their attribute set S and personal information.The CA assigns the user a global user identifier GID and then sends a key construction request to the corresponding AA.After receiving the request, the AA generates the user key component USK i based on the user's attribute information, as shown in Equation ( 5). where After receiving the user key component, the central authority runs the KeyGen algorithm, as shown in Equation ( 6), to generate the user key USK for the user.
where h = h 1 + h 2 + h 3 + . . .+ h k , and k is the number of involved attribute authorities; the attribute key USK is then sent to the user through a secure channel for storage.

2.
Data Encryption and Ciphertext On-Chaining.For the data file File of the DO in the blockchain network, a globally unique file number UFID is generated.A random number ε ∈ G T is chosen, where G T is a cyclic group of prime order p, and the symmetric key key = H 2 (ε) is generated.The symmetric encryption algorithm E key is run, taking the symmetric key key and the data file File as input to generate the data ciphertext CF.
In the weighted access policy, "Attr6:1" represents the minimum threshold of 1 that needs to be met, implicitly including "Attr6:1", "Attr6:2", and "Attr6:3".Compared to the access policy T, the weighted access policy WT reduces the number of attributes by two.Therefore, WT's representation is more flexible and concise.During ciphertext computation, this approach will also decrease the number of attributes, thereby reducing storage space utilization.
In the weighted access policy, "Attr6:1" represents the minimum threshold of 1 that needs to be met, implicitly including "Attr6:1", "Attr6:2", and "Attr6:3".Compared to the access policy T, the weighted access policy WT reduces the number of attributes by two.Therefore, WT s representation is more flexible and concise.During ciphertext computation, this approach will also decrease the number of attributes, thereby reducing storage space utilization.

AND AND Attr6
Attr1 Attr2 and Mi is the i-th row vector of the matrix M.Then, random elements are chosen, and the computation process is shown in Equation (7). ) ) The key ciphertext CT is obtained, as shown in Equation (8).
{( , ), , , ,( , ),...,( , )} The obtained key ciphertext CT and data ciphertext CF are uploaded to the cloud storage system.Then, a smart contract is called to store the metadata = { , , , } cid cid metadata UFID CT CF profile of the shared data in the blockchain system.Here, CTcid and CFcid are the storage addresses of the key ciphertext CT and the data ciphertext CF in the cloud storage system, respectively, and the profile is a brief introduction to the data file.
3. Data Ciphertext Retrieval and Decryption.In the blockchain network, authorized users can freely query the metadata metadata and use the queried metadata to retrieve the corresponding key ciphertext CT and data ciphertext CF from the cloud storage system.For example, let Alice s key be USKAlice.An authorized user calls the Decrypt function, which inputs the original key ciphertext.The specific process is as follows: and I ⊆ {1, ..., l}, if {λi} is a valid share of the secret s according to the matrix M, and the user attribute set S1 = {"Attr1", "Attr2", "Attr6: 3"} is a subset of the weighted access policy WT, where the attributes "Attr1" and "Attr2" satisfy the The DO runs the Encrypt function, taking the system public key MPK, the symmetric key key, and an LSSS access structure (M, ρ) as input, where M is an l × n matrix, and the function ρ maps attributes to the rows of the matrix M. The process is as follows: First, a random shared secret value s ∈ Z * p is chosen, and a random vector v = (s, y 2 , . . . , , where i ∈ {1, . . . ,l}, and M i is the i-th row vector of the matrix M.Then, random elements are chosen, and the computation process is shown in Equation ( 7).
The key ciphertext CT is obtained, as shown in Equation (8).
The obtained key ciphertext CT and data ciphertext CF are uploaded to the cloud storage system.Then, a smart contract is called to store the metadata metadata = {UFID, CT cid , CF cid , pro f ile} of the shared data in the blockchain system.Here, CT cid and CF cid are the storage addresses of the key ciphertext CT and the data ciphertext CF in the cloud storage system, respectively, and the profile is a brief introduction to the data file.

3.
Data Ciphertext Retrieval and Decryption.In the blockchain network, authorized users can freely query the metadata metadata and use the queried metadata to retrieve the corresponding key ciphertext CT and data ciphertext CF from the cloud storage system.For example, let Alice's key be USK Alice .An authorized user calls the Decrypt function, which inputs the original key ciphertext.The specific process is as follows: For I = {i : ρ(i) ∈ S Alice } and I ⊆ {1, . .., l}, if {λ i } is a valid share of the secret s according to the matrix M, and the user attribute set S 1 = {"Attr1", "Attr2", "Attr6: 3"} is a subset of the weighted access policy WT, where the attributes "Attr1" and "Attr2" satisfy the ("Attr1" AND "Attr2") policy, and the weight of "Attr6: 3" is 3, which is greater than the minimum weight of "Attr6" in the access policy, i.e., 1.If the attribute set S Alice satisfies the access structure (M, ρ), i.e., S Alice | = (M, ρ), then there exists a constant set ω i ∈ Z * p such that Equation (9) holds.The intermediate variable is computed using Equation (10).
Sensors 2024, 24, 4939 ∏ i∈I (e(g a 0 λ i (g a 2 ) −r i , g h )e(g r i , g a 2 h )) Then, the symmetric key key is obtained using Equation (11).
Finally, the data file File is output by running the symmetric decryption function, taking the key and CF as input.4.
Re-encryption of Ciphertext.When unauthorized users fail to decrypt, they cannot obtain the data file.In a blockchain network, when an unauthorized user attempts to obtain data, they first need to call a smart contract to acquire the metadata and then send a data-sharing request to an authorized user.This request information includes the metadata to be obtained and the unauthorized user's GID.Upon receiving the request, if the authorized user agrees to share the data, they query the attribute information of the unauthorized user from the CA using their GID.A new weighted access policy NWT{"GID 2 " AND "Attr6:1" AND ("Attr1" AND "Attr2")} is defined, where GID 2 is the globally unique identifier of the unauthorized user, and the access policy restricts access to only this user.As shown in Figure 4, the re-encryption key generation algorithm reKeyGen is run, taking the authorized user's key USK and the new weighted access policy NWT as input and outputting the re-encryption key RK.
Then, the symmetric key key is obtained using Equation (11).Finally, the data file File is output by running the symmetric decryption function, taking the key and CF as input.
4. Re-encryption of Ciphertext.When unauthorized users fail to decrypt, they cannot obtain the data file.In a blockchain network, when an unauthorized user attempts to obtain data, they first need to call a smart contract to acquire the metadata and then send a data-sharing request to an authorized user.This request information includes the metadata to be obtained and the unauthorized user s GID.Upon receiving the request, if the authorized user agrees to share the data, they query the attribute information of the unauthorized user from the CA using their GID.A new weighted access policy NWT{"GID2" AND "Attr6:1" AND ("Attr1" AND "Attr2")} is defined, where GID2 is the globally unique identifier of the unauthorized user, and the access policy restricts access to only this user.As shown in Figure 4, the re-encryption key generation algorithm reKeyGen is run, taking the authorized user s key USK and the new weighted access policy NWT as input and outputting the re-encryption key RK.First, a random shared secret value s ′ ∈ Z * p is chosen, a random vector , where i ∈ {1, . . . ,l ′ } and M ′ i are the i-th row vectors of the matrix M ′ .Then, a random element r ′ 1 , . . ., r ′ l ′ ∈ Z * p is chosen, ∂ ∈ G T is randomly selected, and the computation steps are shown in Equation (12).
where rk A is a component K of the authorizer's attribute key, calculated from the hash value H 2 (∂), random element δ, and generator g 1 , and rk B is derived from the generator g and random element δ. rk C is computed using the authorizer's attribute key component L and hash value H 2 (∂).rk D represents the new weighted access structure and the new ciphertext obtained from Equation (12).rk E denotes the authorizer's attribute set.rk x is the result of calculations involving the authorizer's attribute key component T x and hash value H 2 (∂).
The authorized user then constructs a re-encryption request containing the re-encryption key RK and the metadata and sends it to the ordering node cluster.Upon receiving the re-encryption request from the authorized user, the ordering node cluster runs the reencryption algorithm reEncrypt, taking the key ciphertext CT and the re-encryption key RK as input and outputting the re-encrypted ciphertext RCT.
The specific steps are as follows: For I = {i : ρ(i) ∈ S Alice } and I ⊆ {1, . . . ,l}, if {λ i } are valid shares of the se- cret s based on the matrix M, and the attribute set satisfies the access structure (M, ρ), i.e., S Alice |= (M, ρ) , then there exists a set of constants ω i ∈ Z * p such that Equation ( 9) holds.The ciphertext transformation component ϕ is obtained from Equation (14). ) The computation of the re-encrypted ciphertext RCT is obtained from Equation (15).
The ordering node cluster returns the re-encrypted ciphertext RCT to the authorized user.Upon receiving RCT, the authorized user uploads it to the cloud storage system and calls the smart contract to store the address of RCT, as well as the re-encryption information, including the authorized user's global identifier GID, the unauthorized user's global identifier GID, the original ciphertext information, and the current timestamp, in the blockchain system.After obtaining the re-encrypted ciphertext RCT, the unauthorized user runs the decryption algorithm reDecrypt using their attribute private key, taking RCT and user Bob's attribute key SK Bob as input.The specific steps of the algorithm are as follows: For I ′ = {i : ρ ′ (i) ∈ S Bob } and I ′ ⊆ {1, . . . ,l ′ }, if λ ′ i are valid shares of the secret s ′ based on the matrix M ′ , and the attribute set S Bob satisfies the access structure (M ′ , ρ ′ ), i.e., S Bob |= (M ′ , ρ ′ ) , then there exists a set of constants The value of the preceding variable θ ′ is obtained from Equation (16). )) The essential secret value ∂ is obtained through Equation (17).
The symmetric key key is then computed using Equation ( 18).
Finally, the symmetric decryption function D key is run, taking the symmetric key key and the data ciphertext CF as inputs and outputting the data file File.

Results
The primary hardware environment consists of an Intel(R) Core(TM) i5-8250U CPU @ 1.60 GHz with 12 GB of RAM.The software environment utilizes Java for programming implementation, employing the Java Pairing-Based Cryptography (JPBC) library version 2.0.0.The experiments use a 160-bit elliptic curve group constructed from a 512-bit Type A supersingular curve defined by the equation y 2 = x 3 + x.Performance tests on WAMA-PRE are carried out while controlling the number of attribute authorities and attributes.

Time Overhead
With the number of attributes fixed at two, the number of authorities gradually increased from 2 to 12, with a step size of one.The experiment recorded the execution time, key size, and ciphertext size of WAMA-PRE under different numbers of authorities.As shown in Figure 5, as the number of authorities increases, the execution time of the proposed model's Setup operation does not vary significantly, remaining around 240 ms.This is because the multiple attribute authorities execute the Setup in parallel.The Keygen operation time is short, less than 10 ms, and slightly increases because, as the number of communicating attribute authorities increases, the execution time of Keygen also gradually increases.The execution times of the Encrypt and Decrypt operations vary greatly, increasing linearly with the number of attribute authorities.The increased number of authorities leads to more complex access policies and, consequently, increased computation time.The time for ReKeyGen, ReEncrypt, and ReDecrypt operations also positively correlates with the number of authorities.As the number of authorities increases, computational complexity rises, leading to a notable increase in time overhead.Compared to user re-encryption operations, the proxy re-encryption operation saves 63% of time consumption.
ing linearly with the number of attribute authorities.The increased number of authorities leads to more complex access policies and, consequently, increased computation time.The time for ReKeyGen, ReEncrypt, and ReDecrypt operations also positively correlates with the number of authorities.As the number of authorities increases, computational complexity rises, leading to a notable increase in time overhead.Compared to user re-encryption operations, the proxy re-encryption operation saves 63% of time consumption.

Space Overhead
Figure 6 shows that, as the number of attribute authorities increases, the storage space occupied by the user s private key remains around 994 bits, with slight variation.The user s private key is obtained through group element multiplication.As the number of attribute authorities increases, the number of attributes in the access policy also gradually increases, and the storage space occupied by the ciphertext, which is closely related to the access policy, increases from 3634 bits to 16,816 bits.The sizes of the re-encryption key and re-encrypted ciphertext also slightly increase with the number of attribute authorities.The storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext are all positively correlated with the number of attribute authorities.However, the overall storage space occupied is relatively tiny.

Space Overhead
Figure 6 shows that, as the number of attribute authorities increases, the storage space occupied by the user's private key remains around 994 bits, with slight variation.The user's private key is obtained through group element multiplication.As the number of attribute authorities increases, the number of attributes in the access policy also gradually increases, and the storage space occupied by the ciphertext, which is closely related to the access policy, increases from 3634 bits to 16,816 bits.The sizes of the re-encryption key and re-encrypted ciphertext also slightly increase with the number of attribute authorities.The storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext are all positively correlated with the number of attribute authorities.However, the overall storage space occupied is relatively tiny.

Scalability Analysis
As the number of attribute authorities increases, the Setup operation time remains constant, which is beneficial for system scalability, especially when there are numerous attribute authorities.The Keygen operation time increases slightly but does not exceed ten

Scalability Analysis
As the number of attribute authorities increases, the Setup operation time remains constant, which is beneficial for system scalability, especially when there are numerous attribute authorities.The Keygen operation time increases slightly but does not exceed ten milliseconds at its peak.The time overhead for the Encrypt, Decrypt, ReKeyGen, ReEncrypt, and ReDecrypt operations positively correlates with the number of attribute authorities.Although the time overhead for these operations increases, the actual time consumption remains relatively low.The storage space occupied by ciphertexts, re-encryption keys, and re-encrypted ciphertexts also positively correlates with the number of attribute authorities, but the overall space occupation is small.These results indicate that the WAMA-PRE scheme performs well in terms of scalability.

Performance Analysis with Different Number of Attributes 4.2.1. Time Overhead
With the number of authorities fixed at two, the number of attributes was gradually increased from 2 to 12.The experiment recorded the execution time and key size for each operation as the number of attributes varied.As shown in Figure 7, as the number of attributes increases, the execution time of all operations increases accordingly.Specifically, the execution time of the Setup operation increases from 243 ms to 2504 ms; the execution time of the Keygen operation is minimal, with a maximum of only 14 ms; the execution time of the re-encryption algorithm is reduced by 63% compared to the encryption algorithm; and the execution time of the decryption algorithm is not significantly different from that of the re-decryption algorithm.

Space Overhead
Figure 8 shows that, as the number of attributes increases, the storage space occupied by the user s key remains relatively stable.In contrast, the storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext gradually increases, with the ciphertext storage space increasing from 3639 bits to 27,383 bits.The sizes of the re-encryption key and ciphertext slightly increase with the number of attributes.The storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext are all positively correlated with the number of attribute authorities.However, the overall storage space occupied is relatively tiny.

Space Overhead
Figure 8 shows that, as the number of attributes increases, the storage space occupied by the user's key remains relatively stable.In contrast, the storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext gradually increases, with the ciphertext storage space increasing from 3639 bits to 27,383 bits.The sizes of the reencryption key and ciphertext slightly increase with the number of attributes.The storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext are all positively correlated with the number of attribute authorities.However, the overall storage space occupied is relatively tiny.
ciphertext, re-encryption key, and re-encrypted ciphertext gradually increases, with the ciphertext storage space increasing from 3639 bits to 27,383 bits.The sizes of the re-encryption key and ciphertext slightly increase with the number of attributes.The storage space occupied by the ciphertext, re-encryption key, and re-encrypted ciphertext are all positively correlated with the number of attribute authorities.However, the overall storage space occupied is relatively tiny.

Scalability Analysis
As the number of attributes increases, the time overhead for the Setup operation continues to rise.However, considering that the Setup operation typically needs to be executed only once, this growth is within an acceptable range.It has a limited impact on the entire system's real-time performance.The time overhead for the Keygen operation is minimal, with a maximum of only 14 ms, ensuring the scheme's scalability regarding key generation.The growth in time overhead for the Encrypt, Decrypt, ReKeyGen, ReEncrypt, and ReDecrypt operations is also controllable.The storage space occupied by user private keys remains relatively stable, implying that the size of private keys is essentially unaffected by the increase in the number of attributes.The storage space occupied by ciphertexts increases with the number of attributes; nevertheless, considering modern storage technology advancements and network bandwidth advancements, this growth remains acceptable.The storage space occupied by re-encryption keys and re-encrypted ciphertexts also increases slightly with the number of attributes.However, the overall space occupation is small, indicating that the WAMA-PRE scheme has good scalability regarding storage requirements.The growth in time and space overhead of the WAMA-PRE scheme is within an acceptable range, making the scheme suitable for handling an increasing number of attributes and meeting the scalability requirements in practical applications.

Quantitative Analysis
WAMA-PRE employs a weighted access policy, which, compared to traditional unweighted access policies, offers the advantages of more concise expression and lower storage space utilization.To discuss the difference between the two in terms of storage space usage, as illustrated in Figure 9, the weighted access policy (Weight) demonstrates a 50% reduction in storage space occupation compared to the traditional unweighted access policy (Old).
To further analyze and compare the performance of WAMA-PRE, this study conducted comparative experiments with the schemes proposed by Yang [43] and Banerjee [44].Under controlled numbers of attribute authorities and attributes, the performance of different schemes was tested, with all thresholds in the access structure set to AND, representing the worst-case scenario for the algorithm.
WAMA-PRE employs a weighted access policy, which, compared to traditional unweighted access policies, offers the advantages of more concise expression and lower storage space utilization.To discuss the difference between the two in terms of storage space usage, as illustrated in Figure 9, the weighted access policy (Weight) demonstrates a 50% reduction in storage space occupation compared to the traditional unweighted access policy (Old).To further analyze and compare the performance of WAMA-PRE, this study conducted comparative experiments with the schemes proposed by Yang [43] and Banerjee [44].Under controlled numbers of attribute authorities and attributes, the performance of different schemes was tested, with all thresholds in the access structure set to AND, representing the worst-case scenario for the algorithm.
As shown in Figure 10, when the number of attributes is fixed, and the number of authorities is gradually increased, the time efficiency of Banerjee s scheme is better than Yang s scheme.However, when the number of authorities is fixed, and the number of attributes is gradually increased, the time efficiency of Yang s scheme is better than Banerjee s scheme.Regardless of whether the number of attribute authorities or attributes As shown in Figure 10, when the number of attributes is fixed, and the number of authorities is gradually increased, the time efficiency of Banerjee's scheme is better than Yang's scheme.However, when the number of authorities is fixed, and the number of attributes is gradually increased, the time efficiency of Yang's scheme is better than Banerjee's scheme.Regardless of whether the number of attribute authorities or attributes is controlled, the execution time of WAMA-PRE's KeyGen operation is significantly lower than the other two schemes.
Sensors 2024, 24, x FOR PEER REVIEW 1 is controlled, the execution time of WAMA-PRE s KeyGen operation is significantly than the other two schemes.This study compared the execution times of the Encrypt and Decrypt operatio the three schemes under controlled numbers of attribute authorities and attribut shown in Figure 11a, as the number of authorities increases, the encryption time three schemes grows linearly, with WAMA-PRE s time consumption lower than Y scheme but slightly higher than Banerjee s scheme.Figure 11b shows that, as the nu of authorities increases, the decryption time of WAMA-PRE is close to Yang s schem lower than Banerjee s scheme.Figure 11c shows that, as the number of attributes incr the encryption time of WAMA-PRE is lower than Yang s scheme but slightly highe Banerjee s scheme.As shown in Figure 11d, as the number of attributes increases, th cryption time of WAMA-PRE is slightly higher than Yang s scheme.This study compared the execution times of the Encrypt and Decrypt operations for the three schemes under controlled numbers of attribute authorities and attributes.As shown in Figure 11a, as the number of authorities increases, the encryption time of all three schemes grows linearly, with WAMA-PRE's time consumption lower than Yang's scheme but slightly higher than Banerjee's scheme.Figure 11b shows that, as the number of authorities increases, the decryption time of WAMA-PRE is close to Yang's scheme and lower than Banerjee's scheme.Figure 11c shows that, as the number of attributes increases, the encryption time of WAMA-PRE is lower than Yang's scheme but slightly higher than Banerjee's scheme.As shown in Figure 11d, as the number of attributes increases, the decryption time of WAMA-PRE is slightly higher than Yang's scheme.Overall, the time cost of encryption and decryption in WAMA-PRE is lower than Banerjee s scheme but slightly higher than Yang s scheme.This is because WAMA-PRE supports proxy re-encryption, which requires additional computations.However, proxy re-encryption saves significant time and space in subsequent access policy updates.
This study analyzed the storage space occupied by the private keys of different schemes, with the results shown in Figure 12.Regardless of whether the number of attribute authorities or attributes is controlled, the storage space occupied by WAMA-PRE s private key is the smallest.Specifically, when the number of authorities is fixed, Yang s scheme occupies the most significant storage space; when the number of attributes is fixed, Banerjee s scheme occupies the most significant storage space.Overall, the time cost of encryption and decryption in WAMA-PRE is lower than Banerjee's scheme but slightly higher than Yang's scheme.This is because WAMA-PRE supports proxy re-encryption, which requires additional computations.However, proxy re-encryption saves significant time and space in subsequent access policy updates.
This study analyzed the storage space occupied by the private keys of different schemes, with the results shown in Figure 12.Regardless of whether the number of attribute authorities or attributes is controlled, the storage space occupied by WAMA-PRE's private key is the smallest.Specifically, when the number of authorities is fixed, Yang's scheme occupies the most significant storage space; when the number of attributes is fixed, Banerjee's scheme occupies the most significant storage space.
A comparison was made with the scheme proposed by Liu et al. [35], with the results shown in Figure 13. Figure 13a shows that the computational efficiency of the re-encryption algorithm in this paper's scheme is 53% higher than that of Liu's scheme, and Figure 13b shows that the computational efficiency of the re-decryption algorithm in this paper's scheme is 32% higher than that of Liu's scheme.A comparison was made with the scheme proposed by Liu et al. [35], with the results shown in Figure 13. Figure 13a shows that the computational efficiency of the re-encryption algorithm in this paper s scheme is 53% higher than that of Liu s scheme, and Figure 13b shows that the computational efficiency of the re-decryption algorithm in this paper s scheme is 32% higher than that of Liu s scheme.

Functional Comparison
This study compared and analyzed the functionality of WAMA-PRE with Yang s and Banerjee s schemes, with the results shown in Table 2.It can be seen that, although Yang s and Banerjee s schemes also introduced multiple attribute authority centers, they cannot realize the re-encryption function.Additionally, the WAMA-PRE scheme adopts the LSSS access structure, enabling more flexible access policies without affecting efficiency, and introduces a weighted access policy, which, with the same access control effect, results in a more concise access policy and lower ciphertext space usage.A comparison was made with the scheme proposed by Liu et al. [35], with the resu shown in Figure 13. Figure 13a shows that the computational efficiency of the re-encry tion algorithm in this paper s scheme is 53% higher than that of Liu s scheme, and Figu 13b shows that the computational efficiency of the re-decryption algorithm in this pape scheme is 32% higher than that of Liu s scheme.

Functional Comparison
This study compared and analyzed the functionality of WAMA-PRE with Yang s a Banerjee s schemes, with the results shown in Table 2.It can be seen that, although Yan and Banerjee s schemes also introduced multiple attribute authority centers, they cann realize the re-encryption function.Additionally, the WAMA-PRE scheme adopts the LS access structure, enabling more flexible access policies without affecting efficiency, a introduces a weighted access policy, which, with the same access control effect, results a more concise access policy and lower ciphertext space usage.

Functional Comparison
This study compared and analyzed the functionality of WAMA-PRE with Yang's and Banerjee's schemes, with the results shown in Table 2.It can be seen that, although Yang's and Banerjee's schemes also introduced multiple attribute authority centers, they cannot realize the re-encryption function.Additionally, the WAMA-PRE scheme adopts the LSSS access structure, enabling more flexible access policies without affecting efficiency, and introduces a weighted access policy, which, with the same access control effect, results in a more concise access policy and lower ciphertext space usage.3, compared to other schemes, the system public key, system master key, and user key in this paper's system have significant advantages in terms of storage overhead.

Security Model Discussion
This study uses the AES symmetric encryption algorithm to encrypt plaintext information and employs a multi-authority weighted attribute-based proxy re-encryption algorithm to encrypt the symmetric key.Therefore, it is only necessary to provide security proof for the multi-authority weighted attribute-based proxy re-encryption.This paper defines a selective access structure and chosen-plaintext attack (SAS-CPA) security game between an adversary R and a challenger C, with the following specific steps: Initialization: the adversary R selects a weighted access structure (M, ρ) and sends it to the challenger C.
Setup: The challenger C runs GlobalSetup to output the system master key MSK and public key MPK.The system public key MPK is then sent to the adversary R. For each attribute attr j , the attribute authority AA i randomly selects h i,j ∈ Z * p as the key SK i,j and generates the attribute public key PK i,j .
Query Phase I: The adversary R makes the following queries, and C responds according to the following rules: (1) Attribute key extraction query Q SK (S * 1 ): given an attribute set S 1 * , C obtains the user key components from each attribute authority, runs the KeyGen algorithm to generate the user key USK R , and sends it to R.
( C randomly selects σ ∈ {0, 1}, runs the Encrypt algorithm with input m σ , the weighted access structure (M, ρ), and the system public key MPK to generate the ciphertext CT, and then it returns CT to R.
Query Phase II: R repeats the operations of Query Phase I. Guess: R guesses σ * ∈ {0, 1}.If σ * = σ, then R wins the game.As shown in Equation (19), the advantage of R winning the game is calculated.

Security Proof
Definition 1.If an adversary can only win the SAS-CPA security game with a negligible advantage in any probabilistic polynomial time, the scheme is indistinguishable under a selective access structure and chosen-plaintext attack; i.e., the scheme is provably indistinguishable under the selective access structure and chosen-plaintext attack (IND-SAS-CPA) secure in the random oracle model.
Theorem 1.If an adversary R can win the SAS-CPA security game with a non-negligible advantage µ in any probabilistic polynomial time, then there exists a challenger C that can solve the decisional q-parallel BDHE problem with an advantage of µ/2.
Proof of Theorem 1.In the SAS-CPA security game, the challenger C chooses two multiplicative cyclic groups G and G T of prime order p, a random generator g ∈ G, a bilinear map e : G × G → G T , a q-parallel BDHE instance ξ, and T. Initialization: R sends the challenged weighted access structure (M * , ρ * ) to C, where M * is an l * × n * matrix, l * , n * ≤ q.
Setup: C chooses α ′ 1 , γ ∈ Z * p and sets g 1 = g γ , e(g, g) a 1 = e(g a 1 , g a q 1 ) • e(g, g a 1 ′ ).C selects hash functions H 1 and H 2 and sends the system public key MPK = {p, G, G T , g 1 , g, g a 0 , e, H 1 , H 2 , e(g, g) a 1 , g a 2 } to R. C simulates random oracles H j (j ∈ {1, 2}), controlled by C. If R queries H j , C responds according to the following rules: H 1 : For a query on x ∈ U AA i (U AA i is the set of all attributes of attribute authority AA i ), if there exists a tuple (x, z x , ∂ 2,x ) in the H 1 list, C returns the existing ∂ 2,x to R, where z x ∈ Z * p , ∂ 2,x ∈ G. Otherwise, C constructs ∂ 2,x as follows: Let X be the set of indices i such that ρ * (i) = x.X contains the same attribute x corresponding to the row labels in matrix M * .C chooses z x ∈ Z * p and sets the value of ∂ 2,x as shown in Equation ( 20).
Then, C constructs K using Equation ( 22) and obtains a valid verification for K using Equation (23).
If x∈S 1 * , and for all i ∈ {1, . . . ,l * }, ρ * (i) ̸ = x, C sets T x = L z x .Then, T is computed as shown in Equation ( 24) if X is non-empty or as shown in Equation (25).
It is defined that T • e(g s , g a

Figure 1 .
Figure 1.Access control schema for cloud storage data.

Figure 1 .
Figure 1.Access control schema for cloud storage data.

Figure 3 .
Figure 3. Access policies.(a) Standard access policy T; (b) weighted access policy WT.The DO runs the Encrypt function, taking the system public key MPK, the symmetric key key, and an LSSS access structure

Figure 3 .
Figure 3. Access policies.(a) Standard access policy T; (b) weighted access policy WT.

Figure 5 .
Figure 5. Algorithm running time with different numbers of attribute authorities.

Figure 5 .
Figure 5. Algorithm running time with different numbers of attribute authorities.

Sensors 2024 , 25 Figure 6 .
Figure 6.Storage space occupancy with different numbers of attribute authorities.

Figure 6 .
Figure 6.Storage space occupancy with different numbers of attribute authorities.

Sensors 2024 , 25 Figure 7 .
Figure 7. Algorithm running time with different numbers of attributes.

Figure 7 .
Figure 7. Algorithm running time with different numbers of attributes.

Figure 8 .
Figure 8. Storage space occupancy with different numbers of attributes.Figure 8. Storage space occupancy with different numbers of attributes.

Figure 8 .
Figure 8. Storage space occupancy with different numbers of attributes.Figure 8. Storage space occupancy with different numbers of attributes.

Figure 10 .
Figure 10.Time consumption of Keygen operations in different schemes.(a) With fixed num attributes; (b) with fixed number of authorities.

Figure 10 .
Figure 10.Time consumption of Keygen operations in different schemes.(a) With fixed number of attributes; (b) with fixed number of authorities.

Figure 11 .
Figure 11.Time consumption of encryption and decryption operations in different schemes.(a) Encryption operation with fixed number of attributes; (b) encryption operation with fixed number of authorities; (c) decryption operation with fixed number of attributes; (d) decryption operation with fixed number of authorities.

Figure 11 .
Figure 11.Time consumption of encryption and decryption operations in different schemes.(a) Encryption operation with fixed number of attributes; (b) encryption operation with fixed number of authorities; (c) decryption operation with fixed number of attributes; (d) decryption operation with fixed number of authorities.

Figure 12 .
Figure 12.Storage space occupancy in different schemes.(a) With fixed number of attributes; (b) with fixed number of authorities.

Figure 12 .
Figure 12.Storage space occupancy in different schemes.(a) With fixed number of attributes; (b) with fixed number of authorities.

Figure 12 .
Figure 12.Storage space occupancy in different schemes.(a) With fixed number of attributes; with fixed number of authorities.

Figure 13 .
Figure 13.Computational efficiency comparison of re-encryption and encryption operations.(a) R encryption algorithm; (b) re-decryption algorithm.

∂ 2 , 2 :
x = g z x • ∏ i∈X g a 1 •M * i,1 /b i +a 2 1 •M * i,2 /b i +...+a n * 1 •M * i,n * /b i (20) If X is empty, C sets ∂ 2,x = g z x .C returns ∂2,x to R and adds the tuple (x, z x , ∂ 2,x ) to the H 1 list.H For a query on ∂ ∈ G T , if a tuple (∂, b * ) exists in the H 2 list, C sends the existing value b * to R, where b ∈ Z * p .Otherwise, C sets H 2 (∂) = b * , returns b * to R, and adds the tuple (∂, b * ) to the H 2 list.Query Phase I: R makes a series of queries to C, and C responds according to the following rules: Secret Key Query Q SK (S * 1 ): R constructs a user secret key USK R for the attribute set S 1 * as follows: If S 1 * | = (M * , ρ * ), C randomly outputs {0, 1} and aborts the game.Otherwise, C chooses a random element r s ∈ Z * p and finds a vector ω = (ω 1 , . . ., ω n * ) ∈ Z * p such that ω 1 = −1 and ω • M * = 0 for ∀i, ρ * (i) ∈ S * 1 .C sets L, as shown in Equation (21).L = g r S • ∏ i=1,...,n * g a q+1−i 1 ∑ i∈X ∑ j=1,...,n * ω j •M * i,j /b i ) = g 0 = 1(26)Finally, C adds the tuple (S * 1 , USK R ) to the list and sends USK R to R. Re-encryption Key Query Q RK (S * 2 , (M, ρ)): R queries Q RK with an attribute set S 2 * and a weighted access structure (M, ρ).If S 2 * | ̸ = (M * , ρ * ), C first runs Q RK to obtain a user secret key and then outputs a re-encryption key RK S * 2 →(M,ρ) in two steps: Step 1:C chooses δ, b ∈ Z * p , K ∈ G. C computes the re-encryption key rk A = K • g δ 1 , rk B = g δ , rk C = g b , rk x = ∂ b 2,x , rk E = S * 2 , where ∂ b 2,x is the output of querying H 1 on x, for x ∈ S 2 , and constructs rk D .

Table 1 .
Cryptographic symbols used in the scheme.

Table 2 .
Functionality comparison of schemes.